World Password Day – time for a security checkup

Kayleigh Thorpe

10 months ago

With social media currently buzzing about #WorldPasswordDay, we thought it would be the perfect time to talk password security.

I imagine many of us are guilty of committing some form of password faux pas, perhaps using too short a password or maybe using the same password for every website. It’s easy to understand why this happens of course. Short passwords are convenient to type and remembering lots of passwords can be hard.

With World Password Day in mind, let’s go over how to ensure your passwords are not only memorable but reasonably secure too.

1. Make sure your password is at least 12 characters long

You’ll see many online guides telling you that your password needs to be at least 8 characters long and to choose a mixture of upper- and lower-case characters; they’ll probably also advise you to use at least one number and one symbol too. Admittedly I still have a couple of passwords in this format, but that’s more because some companies still force this requirement.

This approach is of course frustrating, so much so that there are thousands of Internet memes relating to our frustrations.

The problem with this style of password is that it becomes harder to remember the longer it gets. This in turn means that people tend to shorten their passwords. Shortening your passwords is a big no-no! We always recommend aiming for 12 characters or more if possible; in fact, when it comes to password strength, the more the merrier. That’s a great rule of thumb.

2. Mix it up!

12 characters is a lot to aim for, and it can make passwords difficult to remember, especially when they’re a string of random characters. Perhaps an online password generator could help you along?

This is a password generator in action, and it can be a great tool. It creates long passwords, more than 12 characters if you like, but they’re still far from memorable. I for one would never remember that password in a million years. I can’t relate it to anything, which means I’d need a third-party program to store my passwords in. Let’s try something else:

Again, let’s be clear: shortening the password is a huge no-no. Historically we’ve been told over and over that we need to add other characters to our passwords; it’s almost ingrained in our minds to swap letters in names and words for numbers. Changing Charlie to Charli3 is more memorable than a string of random characters, as is putting a significant date at the end, a birthday or the year, Charlie2017 for example. It’s much easier for us, but again, it isn’t secure.

Which brings us to passphrases: longer, more complex passwords. This particular example was popularised by the famous web comic XKCD, and it works really well:

3. Correct Horse Battery Staple

When I first heard the phrase “correct horse battery staple”, it seemed very random to me: four unrelated words that don’t make much sense together, with no additional characters and no uppercase letters. I thought to myself, ‘surely this isn’t as secure as what we’ve previously been taught’, but as we touched on earlier, longer passwords are simply better passwords overall. Using this approach, the password – or passphrase, should we say – is infinitely more memorable.

If you want to learn why the XKCD-style passphrase approach is more secure, check out the following Reddit thread, which refers specifically to this XKCD comic and grapples with the maths.

I use this approach for the majority of my passwords, meaning they are not only memorable, but long and more secure too. Give it a try! Choose your own random string of 4 or more words and make a story out of them – one that’s certain to stick in your mind.

If you struggle to decide on your own words to use, there are plenty of online password generators inspired by XKCD and the correct horse battery staple password generator:

(Please note, we have no affiliation with those password generators; they came up in a Google search, so use them at your own peril!)
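To put numbers on the argument running through the last three sections (the "12 characters or more" rule, the Charli3/Charlie2017 habit and the four-word passphrase), here is an added example that is not part of the original post. It estimates the entropy, in bits, of each style of password under stated assumptions: a 94-character printable ASCII set for generator-style random passwords, a 2,048-word list for passphrases (the figure the XKCD comic works with), and a constructed model of the name-plus-substitution-plus-year pattern whose sizes (1,000 names, 8 substitutions, 100 years) are my assumptions, not figures from the post. It also generates a passphrase from a tiny constructed word list using a cryptographic random source; the `WORDS` list and all function names are mine.

```python
import math
import secrets

# Constructed stand-in word list. A real list should hold a few thousand words:
# a passphrase's strength comes from how many words there were to choose from,
# so this short list is only here so the generator runs stand-alone.
WORDS = ["correct", "horse", "battery", "staple",
         "cloud", "river", "lantern", "forest"]

PRINTABLE_ASCII = 94   # upper + lower + digits + symbols
XKCD_LIST_SIZE = 2048  # the comic's assumption: 11 bits per word


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniformly random draws from `choices`
    possibilities. This is the guesser's worst case: it assumes the password
    really was random rather than chosen by a person."""
    return picks * math.log2(choices)


def random_password_bits(length: int, charset_size: int = PRINTABLE_ASCII) -> float:
    """A generator-style password: every character drawn from the full set."""
    return entropy_bits(charset_size, length)


def passphrase_bits(word_count: int, list_size: int = XKCD_LIST_SIZE) -> float:
    """An XKCD-style passphrase: every word drawn uniformly from the list."""
    return entropy_bits(list_size, word_count)


def name_pattern_bits(names: int = 1000, substitutions: int = 8, years: int = 100) -> float:
    """Constructed model (sizes are assumptions) of the Charli3 / Charlie2017
    habit: one name from a list, one of a handful of predictable letter-to-digit
    swaps, and a year. A guesser who knows the pattern only has to search
    names * substitutions * years candidates, however long the result looks.
    Pass years=1 for the no-year Charli3 variant."""
    return math.log2(names * substitutions * years)


def generate_passphrase(words, count: int = 4, sep: str = " ") -> str:
    """Pick `count` words uniformly with the secrets module (a CSPRNG);
    the random module is not suitable for passwords."""
    return sep.join(secrets.choice(words) for _ in range(count))


def comparison() -> dict:
    """Entropy estimates for the password styles discussed in the post."""
    return {
        "8 random chars": random_password_bits(8),
        "12 random chars": random_password_bits(12),
        "Charli3 pattern (model)": name_pattern_bits(years=1),
        "Charlie2017 pattern (model)": name_pattern_bits(),
        "4-word passphrase": passphrase_bits(4),
        "6-word passphrase": passphrase_bits(6),
    }


if __name__ == "__main__":
    for style, bits in comparison().items():
        print(f"{style:28s} ~{bits:5.1f} bits")
    print("example passphrase:", generate_passphrase(WORDS))
```

Two things worth noticing in the output. First, a fully random 8-character password still scores higher than a four-word passphrase (about 52 bits against 44), so the passphrase's advantage is that people actually remember it and therefore don't shorten it or reuse it, which is the post's point. Second, the Charli3 and Charlie2017 models land far below both despite their mixed character classes, because the character count is not what the guesser has to search; the pattern is.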

What else…

Recent guidelines issued by NIST are turning some older password security ideas on their head. For one, changing passwords routinely is increasingly seen as resulting in worse security. Again, it echoes what we touched on here: making passwords a pain for end users ultimately means they’ll resort to shortcuts – and that always means less security, not more.

To really enhance your overall password security, we recommend using two factor authentication, or 2FA as it’s known, wherever and whenever you can. If you’re not already using such a system, you might be asking: what is two factor authentication? If you didn’t catch this post by Stuart, he explains it as follows:

“At its core, 2FA requires a user to combine two components of identity in order to access a secure system. A great example of this is using a cash machine: you need both your physical card and also a PIN to access your account. Either is useless without the other. Someone trying to compromise your account would be unable to do so if they possessed only one of these. Two factor authentication makes security much harder to beat.”

We provide 2FA as standard for all 34SP.com clients on our main login at https://account.34sp.com – you may want to check with any other websites you log in to online as well; the better ones will always offer you 2FA security to complement your secure – and memorable – password.